@goblin On Linux, a more limited form of sandboxing is provided through namespaces (CLONE_NEWNS, unshare, etc.), and that can be used by systemd to isolate services that do not themselves use sandboxing directly:
https://0pointer.de/blog/projects/security.html
Likewise for the Shepherd:
https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/
I suspect the study slightly underestimates use of sandboxing on Linux. WDYT?
=> More information about this toot | View the thread | More toots from civodul@toot.aquilenet.fr